Frontier Communications CEO Maggie Wilderotter had some advice for her top 10 executives last week as they discussed ways to prevent hacks like the one that exposed Sony Corp.’s e-mail secrets:
Pick up the phone.
“If employees have something sensitive to discuss, they should pick up the phone or walk over to a colleague’s desk to talk,” Wilderotter said. Among the practices she wants workers retrained to follow: deleting e-mails frequently, changing passwords every 30 to 45 days, and “never putting in an e-mail anything you wouldn’t mind everyone reading on the Internet.”
Companies such as Frontier, the Stamford, Connecticut-based provider of phone and data services, are tightening security policies as the damage mounts from the hacking attack on Sony’s computers in November. The reckoning is pushing more U.S. workers to go old-school, reverting to phone calls and face-to-face meetings. It’s also stoking a sense of self-discipline.
“I try to act as if my mom were watching me,” said Eli Romero, a 33-year-old banker at World Business Lenders LLC, who lives in New York. He’s keeping his work e-mails short and only discussing confidential information about a client in person. “The Sony hacking makes me think twice about doing anything on an Internet connection.”
While corporations have long dealt with hackers going after customers’ financial data and trade secrets, the breach at Sony’s Culver City, California-based entertainment unit went much further. Leaked e-mails revealed executive pay, medical records, unflattering comments about Hollywood stars, and even racially insensitive remarks about President Barack Obama. The hack, which the FBI says bears hallmarks of North Korea, is presumed retaliation for the political comedy “The Interview.”
“It really is an eye-opener” for corporate IT executives, said Matt Zabloski, managing director of Delbrook Capital Advisors Inc. in Vancouver, which runs two hedge funds. “They’ve got to figure out a better way to do this or they’re going to lose credibility with the public or place themselves in an awfully embarrassing position.”
Zabloski hands each new hire at Delbrook an extensive procedure manual and warns them that leaked e-mails, even if the content they contain seems unimportant, can backfire.
“Taking that e-mail out of context, as often happens, will shine a negative light on us,” he said. “Once that send button is hit, it’s permanent record. Sensitive data is best dealt with in person or on the telephone.”
The challenge for companies is limiting the damage of potential hacks without restricting necessary communication or encouraging other habits that may be even more dangerous.
“You don’t want so many restrictions that employees move their corporate e-mails to their personal e-mail accounts, which are even more vulnerable,” Frontier’s Wilderotter said. “If you stymie communication and overreach, you can create worse consequences.”
Doing nothing isn’t an option either. Many corporate clients of Mike Denning, who heads global security at Verizon Enterprise Solutions, are increasing training about what can and can’t be published in e-mails and some are requiring that information only be shared on a need-to-know basis.
“This is becoming a board-level issue; it’s becoming a CEO-level issue,” said Denning, who is based in the Washington suburbs. “They’re saying: ‘Could what I just read about also happen to us?’”
Even companies specializing in computer security aren’t immune from the threat. Hackers took $65,000 from the online checking account of Berkeley Varitronics Systems Inc., a cybersecurity firm in Metuchen, New Jersey, that already required complicated and frequently changing passwords.
After the theft, Chief Executive Officer Scott Schober installed new security cameras and hired people to search the “dark Web” to see if his name or company name showed up in hacker-chat forums. The Sony attack only furthered his resolve to depend more on face-to-face conversations instead of e-mail. Just last week, he told an employee: “Some of this I’d rather just talk to you about — I wouldn’t put this in an e-mail.”
“The irony is that our business is focused on protecting companies,” Schober said in an interview. “It just goes to show everybody is now a target.”
Protecting data can be tricky in an age when greater access to information is encouraged. Cletis Earle, chief information officer for St. Luke’s Cornwall Hospital in Newburgh, New York, said that as federal regulations have required greater patient access to medical records, he’s urged employees to be discerning with the data shared and not transmit unnecessary personal information. He’s also urged workers to reduce the content in their e-mails to make the hospital’s network less of a target for hackers.